Helping the OSINT community stay curious

The OSINT Puppeteer

When doing OSINT research, especially on social networking platforms, it’s important to use a fake profile, or what we like to call a sock puppet for operational security reasons.

On this week’s blog, we want to provide you with some tips and tricks on how to build a good sock puppet…for research purposes.

Crafting a ‘sock’

Before you create a sock, let’s have a moment and think about who you want to be online.

Questions to consider are: who/what are you researching? And what is his or her expected audience?

Think about how you can blend in. Think about your (clicking) behaviour online, as well as your IP address, browser settings, but also think about your character. Who are you?

Name

If you’re researching someone in another country and the platform requires that you sign up with a name, choose a name that is common in that country. If you’re stuck, check out popular baby names in that country, for example. That might help you get some inspiration for your sock puppet name.

Got a cool name? Always do a quick search on the name. Just to make sure that your chosen name isn’t the biggest criminal in history 😉 Do the same if you’ve also selected a username. You can check a username just by using any search engine, or try namechk.com to see if your username hasn’t already been taken.

Personality

Think about who your sock is and where he or she works? What interests he or she has? Where did he or she go to school? Who are his/her family and friends? Think of paste and future hobby’s and interests for your Sock puppet. Write this down before creating a sock. Look into similar persons or groups online, study their profiles. How do their profiles look like. Try and mimic their online behaviour.

Some platforms have pretty good algorithms which detect how long it takes you to fill in an application form. Because if you are a real person; if I’d ask you what your pet’s name is, what primary school you went to, etc, you could answer me within a few seconds. So if someone takes a long time filling this in online, this might be a warning signal for the algorithm to detect that you are a sock, and that can get you suspended or ip blocked. Writing all this stuff down might help get around the algorithm and lets you type it as a natural person would. Do not copy/paste the information about your sock puppet either, this can also be detected by algorithms.

Depending on how comprehensive you want your sock to be, these might be things you want to take into consideration when creating your sock:

Also, sometimes you’ll get security questions, like “What’s your mother’s name?”. If you don’t write this information down, you won’t be able to answer these questions later on when you forgot the password.

Phone number

A lot of platforms these days require a phone number for account verification. It’s key to have one for your sock. So go to your local drugstore or media store and buy the cheapest prepaid sim card you can get. Don’t sign up to get extra credits and don’t sign a contract, that’s not necessary.

If your country of residence requires you to identify yourself when buying a prepaid sim card, there is always an option to get a voip phone number.

Or, if you travel a lot, buy sim cards in different countries. Sometimes it requires you to activate it in the country where you bought the sim card, so make sure to bring an old phone.

In some countries phone numbers that don’t show activity will be put back in the circuit for someone else to use, make sure you call your voicemail once or twice a month to keep your simcard active.

Put the sim card in an old phone (it can be as old as a Nokia 3210 because you just need to be able to receive verification texts). So now when you create a sock, connect to the phone number to the account.

Make sure you have separate numbers for each sock. Platforms might be alarmed if multiple socks are created with the same number. If necessary; write down the name of the sock on your sim card holder so you’ll always know which number belongs to which sock.

Photos

Maybe social platforms require you add a photo. Especially a photo of a face. This can sometimes be quite a challenge if you’re not willing to upload a photo of your own face.

There are two main options:

1: You can select a stock photo. Either a paid version or a free stock photo. Make sure that you slightly change the photo. You could change the colour to black and white, crop the photo, mirror it or flip it. This way, any algorithm that could automatically detect the use of stock photos will have a very difficult time.

2: Morph a couple of photos together. You can do this in, for example, Photoshop. But if you’re not so crafty in Photoshop, there are a couple of websites willing to help you out. There is morpthing.com or faceplusplus.com. The last one is really good at making morphed photos.

Being the puppeteer

When you’re doing a lot of research, you might need more than just one sock puppet. And controlling these puppets can be quite a challenge. So make sure you create password manager to store all of the sock accounts passwords in, use apps like Rambox or Meetfranz.com to keep your accounts connected. Or just keep a folder on your computer (or in the cloud) or an Excel file with different tabs for your socks where you manage their details, settings and more. That way you always have all of your socks details in one place.

It might also help to keep your accounts ‘alive’. If you want to do this on a regular base, you could create an event calendar so you can plan when to be active with your sock. Make sure if you create a calendar, to also be active outside of your research/work hours. You can also think of making your sock puppet auto-post or like certain things by using ifttt.com recepies.

Do more with your account than the things you’ll need to do for your research. Respond to a message, like something, play a game (with other people), ask a question, etc. This will help keep your sock alive and give the algorithm a hard time detecting you’re a sock. even a passive lurking sock puppet should show activity (signs of life) from time to time.

For active sock puppets who engage in conversations there are a lot more things to keep in mind. For instance the timezone where your sock puppet lives is essential at what time of day you are online or chat. this thing could blow your sock puppets cover is you don’t pay attention. You as the puppeteer will react from your personal bias on topics and conversations. So you may need to react way out of your personal comfort zone to keep your sock puppets identity credible.

Also keep in mind that you might need a credible story is someone doubts your sock puppets identity and starts asking questions. What will you say or do when that happens? And even more important what is de opsec risk when a sock puppet gets exposed as sock puppet? Can it be traced back to you (or company) or your computer? What is the risk of it does?

If you have any other suggestions on how to create the perfect sock or how to be an excellent puppeteer, please leave a comment below!

I’d add onto the use of ifttt for posting to socks… the recipe doesn’t have to correspond to the trigger. So, for instance, you can take prompts from the trigger and craft unrelated responses to make things seem more random, less bot-like. You might even insert an element from the trigger into the post.